I picked up another listener similar to the Groupon one the other day. This again is an attached ZIP file with an exe inside.

It says it's from paypai.com; depending on your font, the i will look like an L.

The exe looks like it has been reused, but I don't see any mention of its original file name. The original name appears to have been stickiestfilm.exe, md5 42bbb627d3bcc12745e8a6fbd4b2c825.

It also appears to have been used in several other campaigns according to its technical data:
https://www.virustotal.com/file/a9cbb0ac7ce189f4340fd23f295b118b28d74709c47205fed58c464e0ffcd942/analysis/

So far the only behavior I have seen is that it opens a command shell on local port 8000 TCP and waits for incoming connections. I have not seen it send any outbound packets as of yet.

First I have to say that I dislike having to do this. My main problem is that if you are going to take the time to pack and attempt to protect your EXE, it’s obvious that you are up to no good.

For legitimate applications there are times when you would want to do this, but if it's some random EXE from a payload…

In my case I try to avoid working with the source file; I will do as much as possible by running it in a lab. But you can miss timed actions and other types of triggers. Also, there is hardly a magic bullet to deal with these; as a start I use PEiD. After that it is all about what packs that EXE and you tracking it down. If a generic tool won't unpack it, you are in for a fun day looking for something.

In other cases, if the file is packed all at once but does not have any defense mechanisms, you can dump the running EXE from memory. Sometimes you have a file that has multiple sections packed; mix in some anti-analysis tools and it's not an enjoyable process.
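A first-pass check that complements PEiD, as an added example and not code from the original post: it walks the PE section table and flags the classic packer tells (known packer section names, high section entropy, sections that are both writable and executable, and sections with no raw data but a large in-memory footprint, the pattern a UPX0-style section leaves). The sample PE it scans is constructed inline and is not loadable; the packer name list, the 7.0 bits/byte entropy threshold and all function names are this example's own choices, not anything from the page.

```python
import hashlib
import math
import struct

# Section characteristics flags from the PE/COFF spec
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Section names common packers leave behind (short list, an assumption of this example)
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".nsp0", ".nsp1",
                        ".petite", ".MPRESS1", ".MPRESS2", ".themida", ".vmp0", ".vmp1"}
ENTROPY_THRESHOLD = 7.0  # bits/byte; compressed or encrypted data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """0.0 for empty input, 8.0 for perfectly uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """DOS header -> PE signature -> COFF header -> section table, with per-section entropy."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    size_of_optional = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_of_optional  # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40
        name = pe[off:off + 8].split(b"\0", 1)[0].decode("ascii", "replace")
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        characteristics = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append({"name": name, "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": raw_size, "characteristics": characteristics,
                         "entropy": shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])})
    return sections


def packer_indicators(pe: bytes) -> list:
    """(section name, reason) pairs. Heuristics only: a hit means 'look closer', not 'packed'."""
    findings = []
    for s in parse_sections(pe):
        c = s["characteristics"]
        if s["name"] in PACKER_SECTION_NAMES:
            findings.append((s["name"], "known packer section name"))
        if s["entropy"] >= ENTROPY_THRESHOLD:
            findings.append((s["name"], "high entropy %.2f" % s["entropy"]))
        if c & IMAGE_SCN_MEM_WRITE and c & IMAGE_SCN_MEM_EXECUTE:
            findings.append((s["name"], "writable and executable"))
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append((s["name"], "no raw data but %#x bytes reserved in memory" % s["virtual_size"]))
    return findings


def scan_file(path: str) -> list:
    with open(path, "rb") as f:
        return packer_indicators(f.read())


def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for compressed code."""
    out, seed = bytearray(), b"constructed sample"
    while len(out) < n:
        seed = hashlib.sha256(seed).digest()
        out += seed
    return bytes(out[:n])


def build_sample_pe() -> bytes:
    """Constructed, non-loadable PE stub laid out like a UPX-packed binary; only the
    fields parse_sections() reads are filled in."""
    text_data = b"\x90" * 0x1F0 + b"\xC3" * 0x10  # NOP sled plus RETs: low entropy
    packed_data = _pseudo_random(0x800)          # stands in for the compressed payload
    text_ptr, packed_ptr = 0x100, 0x300
    rx, rwx = (IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE,
               IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE)
    sections = [  # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, flags)
        (b".text", 0x1000, 0x1000, len(text_data), text_ptr, IMAGE_SCN_CNT_CODE | rx),
        (b"UPX0", 0x8000, 0x2000, 0, 0, IMAGE_SCN_CNT_UNINITIALIZED_DATA | rwx),
        (b"UPX1", 0x1000, 0xA000, len(packed_data), packed_ptr, IMAGE_SCN_CNT_CODE | rwx),
    ]
    img = bytearray(packed_ptr + len(packed_data))
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                    # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x44, 0x14C, len(sections))  # Machine=i386, NumberOfSections
    struct.pack_into("<H", img, 0x54, 0)                       # SizeOfOptionalHeader (omitted)
    for i, (name, vsize, vaddr, raw_size, raw_ptr, flags) in enumerate(sections):
        off = 0x58 + i * 40
        img[off:off + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", img, off + 8, vsize, vaddr, raw_size, raw_ptr)
        struct.pack_into("<I", img, off + 36, flags)
    img[text_ptr:text_ptr + len(text_data)] = text_data
    img[packed_ptr:packed_ptr + len(packed_data)] = packed_data
    return bytes(img)


if __name__ == "__main__":
    for name, reason in packer_indicators(build_sample_pe()):
        print("%-8s %s" % (name, reason))
```

Run `scan_file("sample.exe")` on a real dropper and the .text section of an unpacked build usually lands around 6 bits/byte, while a packed section lands above 7.5. None of these indicators is proof on its own (installers and some protected commercial software trip them too), which is the same caveat that applies to PEiD's signature matches.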

Ecuador says that the UK is threatening to enter its embassy to arrest Mr. Assange, ahead of the announcement on Thursday on whether they will grant asylum. I don't know how much stranger this whole thing can get.

When doing analysis I try to keep away from the infection machine. I keep my lab statically set up with an IP, DNS and gateway pointing at another machine. For a basic target all you need to do is have tcpdump running on that machine to capture any network requests. If you want to get more complicated you can start emulating services like DNS and WWW.

In most cases the basic connection information will give you just enough to create an IDS/IPS signature.
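One way to do the DNS emulation described above, as an added example rather than anything from the original post: a small UDP DNS sink that answers every A query with the lab gateway's own address, so the sample's callbacks land on the box where tcpdump is running, and logs what was asked for. The query it is exercised against is constructed inline; the sink address 10.0.0.2, the port handling and the function names are assumptions made for this example.

```python
import socket
import struct
import sys

QTYPE_A = 1


def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """Minimal DNS query; used here only to construct offline test traffic."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\0" + struct.pack("!HH", qtype, 1)


def parse_question(packet: bytes):
    """Return (qname, qtype, offset just past the question) for the first question."""
    labels, off = [], 12
    while True:
        length = packet[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers do not belong in a query's question
            raise ValueError("compression pointer in question section")
        labels.append(packet[off:off + length].decode("ascii", "replace"))
        off += length
    qtype, _qclass = struct.unpack_from("!HH", packet, off)
    return ".".join(labels), qtype, off + 4


def build_response(query: bytes, sink_ip: str, ttl: int = 60):
    """Answer any A query with sink_ip; other types get NOERROR with an empty answer."""
    txid, flags = struct.unpack_from("!HH", query, 0)
    qname, qtype, qend = parse_question(query)
    rflags = 0x8000 | (flags & 0x0100) | 0x0080  # QR=1, copy RD, RA=1, RCODE=0
    question = query[12:qend]
    if qtype != QTYPE_A:
        return struct.pack("!HHHHHH", txid, rflags, 1, 0, 0, 0) + question, qname, qtype
    # Answer RR: pointer to the name at offset 12, type A, class IN, TTL, RDLENGTH=4, address
    answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, 1, ttl, 4) + socket.inet_aton(sink_ip)
    return struct.pack("!HHHHHH", txid, rflags, 1, 1, 0, 0) + question + answer, qname, qtype


def serve(sink_ip: str, bind_ip: str = "0.0.0.0", port: int = 53) -> None:
    """Run the sink; binding port 53 needs root or CAP_NET_BIND_SERVICE."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, addr = sock.recvfrom(512)
        try:
            resp, qname, qtype = build_response(data, sink_ip)
        except (ValueError, IndexError, struct.error):
            continue  # malformed query; tcpdump still has the raw packet for later
        print("%s asked for %s (type %d) -> %s" % (addr[0], qname, qtype, sink_ip))
        sock.sendto(resp, addr)


if __name__ == "__main__":
    serve(sys.argv[1] if len(sys.argv) > 1 else "10.0.0.2")
```

Point the infected VM's static DNS setting at the gateway box, start this with the gateway's own address as the argument, and keep tcpdump running beside it: the DNS log tells you which names the sample resolves, and whatever it does next (an HTTP request, a raw TCP connect) shows up in the capture aimed at an address you control, which is usually the connection information you need for the IDS signature.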

I watched this TED video a couple weeks ago, and had a similar thought.

Well, except the Aussie breach was before the data retention law. But it's not a stretch to see some sort of breach. To me it would be more something that an insider would do, like BManning, but either scenario will do what is needed.

The good news is the detection ratio is now up considerably since I first started working with this sample. Initially 2 of 41 scanners detected the sample when I first got hold of it; now it's 28 of 41. The bad news is that I have been stepping it through a debugger and there are a couple of SEH chains to follow, but so far I have found nothing new.

About This Blog

A blog for system administrators and managers looking for explanations of vulnerabilities and exploits, with special attention paid to virtualization tips and tricks. Irregular Expressions will go into detail explaining the why and how of vulnerabilities and the accompanying exploits.